Digital certificates can only be used safely if their validity is checked carefully. This validity check can be made using a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP).
How does OCSP function?
OCSP provides current status information about the validity of a certificate. Every time a visitor's browser sets up a secure HTTPS connection with a website, it checks the validity of the certificate with the CA (the certificate issuer). This is a standard and essential part of setting up the SSL connection; depending on the response from the CA, the connection may or may not be established.
What is OCSP stapling?
In this method the web server acts as the intermediary between the client browser and the CA. The web server on which the SSL certificate is installed provides the browser with a cached OCSP response, so the visitor's browser does not need to make a separate connection to the CA. The OCSP response is digitally signed and time-stamped by the CA, so the web server cannot alter it or serve it beyond its validity period. All of this makes OCSP stapling a safe and quick method to check the validity.
OCSP Must-Staple and OCSP Expect-Staple
Two further features were added after the introduction of OCSP stapling, named Must-Staple and Expect-Staple. Although these techniques are new and prone to issues, they will ensure that OCSP becomes the go-to validation check instead of CRL. Unfortunately, certain settings could "brick" your Apache and Nginx configuration, so it's wise to use these techniques with caution.
Must-Staple is a technique that lets the web browser know with certainty whether a website uses OCSP stapling. This allows browsers to hard-fail, by refusing the connection, when no stapled OCSP response is provided. Expect-Staple is a reporting mechanism that helps site owners track the errors that visitors receive, so they can see whether their OCSP stapling implementation was done correctly.
How do I enable OCSP stapling on my server?
At the time of writing not all servers and browsers support OCSP stapling. If your server supports OCSP stapling, it is highly recommended to turn this feature on. The visitor won't notice the difference: a browser that supports OCSP stapling will use it, and any other browser simply falls back to regular OCSP. Versions known to support it:
- Nginx 1.3.7+
- Windows Server 2008
- IIS 7.5+
- Apache 2.4+
- Chrome 12+ with Windows
- Internet Explorer 9+ from Vista and up
- Opera v11+
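Once stapling is switched on, the thing an operator wants to know is whether the server actually staples a response and whether the certificate carries the Must-Staple marker, since with that marker a missing staple becomes a hard failure for visitors. The following shell functions are an added example, not part of the original article or of any server project: they parse the text that the OpenSSL command-line tool prints for `openssl s_client -status` and `openssl x509 -text` and classify the result. The hostnames in the comments are placeholders, and the sample outputs embedded in the block are constructed (abridged from the real OpenSSL format) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): client-side checks for OCSP
# stapling and Must-Staple. Assumes the OpenSSL command-line tool is available;
# www.example.com is a placeholder hostname.
#
# Live use (needs network):
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       -status </dev/null 2>/dev/null | ocsp_stapling_status
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       </dev/null 2>/dev/null | openssl x509 -noout -text | cert_requires_stapling

# Classify the "-status" output of openssl s_client, read from stdin.
# Prints one of: stapled-good, stapled-revoked, stapled-other, not-stapled.
# Exit status is 0 only for stapled-good, so the function can drive an alert
# in a monitoring job.
ocsp_stapling_status() {
    out=$(cat)
    # A server that does not staple answers the client's status_request with
    # nothing, which s_client reports as "OCSP response: no response sent";
    # only a stapled response carries "OCSP Response Status: successful".
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo not-stapled
        return 1
    fi
    cert_status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
    case "$cert_status" in
        good)    echo stapled-good;    return 0 ;;
        revoked) echo stapled-revoked; return 2 ;;
        *)       echo stapled-other;   return 3 ;;
    esac
}

# Read "openssl x509 -text" output from stdin and report whether the
# certificate carries the Must-Staple marker: the X509v3 TLS Feature
# extension listing status_request. OpenSSL prints the feature name on the
# line after the extension header, so the line following "TLS Feature" is
# inspected.
cert_requires_stapling() {
    text=$(cat)
    if printf '%s\n' "$text" | sed -n '/TLS Feature/{n;p;}' | grep -q 'status_request'; then
        echo must-staple
        return 0
    fi
    echo no-must-staple
    return 1
}

# Constructed sample outputs (abridged from the real OpenSSL text format).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

SAMPLE_NOT_STAPLED='OCSP response: no response sent'

SAMPLE_CERT_TEXT='Certificate:
    Data:
        X509v3 extensions:
            X509v3 TLS Feature:
                status_request
            X509v3 Basic Constraints:
                CA:FALSE'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_STAPLED" | ocsp_stapling_status
printf '%s\n' "$SAMPLE_NOT_STAPLED" | ocsp_stapling_status
printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_requires_stapling
```

A certificate that reports `must-staple` while the server reports `not-stapled` is the combination to watch for: browsers that honour Must-Staple will refuse the connection, which is exactly the "brick" scenario the section above warns about, so the two checks are best run together after any certificate renewal or server configuration change.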